Equifax Fined By U.K. For Data Breach

LONDON–Equifax has been hit with the maximum possible fine under U.K. law for "multiple failures" that contributed to its massive 2017 data breach. Among those failures, said U.K. authorities, was its failure to act on a critical vulnerability alert issued by the U.S. Department of Homeland Security.

The company was assessed a £500,000 ($660,000) fine by the Information Commissioner's Office, which is the U.K.'s data protection authority and enforces the country's privacy laws. Following an investigation into the breach, carried out in parallel with the U.K.'s Financial Conduct Authority, the ICO cited Equifax "for failing to protect the personal information of up to 15 million U.K. citizens during a cyberattack in 2017," according to the organizations involved.

An investigation carried out by the ICO found that Equifax violated more than half of the country's applicable data protection principles.

‘Egregious Example’

In one particularly egregious example, the credit bureau was storing personal information, including plaintext passwords, in a testing environment "for the purposes of fraud prevention and password analysis," the ICO said in a statement. The company also failed to obtain users' consent for doing so, telling the ICO this would have created a security risk.

"The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce," says U.K. Information Commissioner Elizabeth Denham in a statement. "This is compounded when the company is a global firm whose business relies on personal data."

Copyright Holder: CUToday.info
Copyright Year: 2026
URL: https://cuto-admin.flux5.ccplatform.net/Fresh-Today/Equifax-Fined-By-U.K.-For-Data-Breach